Links

GCHQ Can You Crack It: Tips and Hints

Looking for UNIX and IT expertise? Why not get in touch and see how we can help?

I’ve had a deluge of email about the GCHQ Can You Crack It challenge, asking for everything from the complete solution to some pointers. So here I’ll give some tips and hints that’ll help you work your way through it.

GCHQ only hire British citizens:
If you’re seriously doing this to look for a job, bear in mind that GCHQ will only hire you if you’re a British citizen, and have lived in the UK for the last 10 years. It’s a fun challenge, but if you’re from Sweden you’re not going to get a job at the end of it (but thanks for all the emails guys!).

You’ll want some sort of VM environment:
Really, I shouldn’t need to say this to anyone – but don’t trust random code from the Internet. Especially if it’s clear it’s coming from one of the top government security organisations. Grab Virtual Box and Backtrack and keep your main OS safe. I should stress that there’s nothing dodgy with anything in this challenge – but this is good practise and should be the first thing you do when tackling anything unknown.

The code in the image doesn’t reveal the keyword:
Look at the hex in the image. Some of the numbers there just don’t map to ASCII or EBDIC – not even in some of the wilder code pages. It’s not that easy.

There are three stages to reveal the keyword:
As you solve each stage, it will lead you to the next. Once you’ve solved the third stage, you’ll have the keyword you need.

Look for patterns in the hex:
I shouldn’t be giving too much away by drawing your attention to patterns in the hex. Yes, there are 16 numbers across – a word length maybe? But instead look at what those numbers are. Repeated numbers or letters are usually the sign of some sort of underlying pattern. If you’ve done any shellcode you should recognise 90 90 as NOPs.

Why is the code in an image instead of just text or HTML?
Think about this. How can information be conveyed in an image. Visual, yes – but what else? It’s a PNG – what else could that tell you?

Test your Google-fu:
This can be viewed as a shortcut, but also a good way to see if you’re on the right track. What else is being hosted on the challenge site? Besides, as with everything, there’s more than one way to solve a problem.

You’ll need to be able to write code:
Not as in ‘encryption’, but as in ‘program’. I’ll be the first to admit my code is shocking – it’s very much ‘solve the problem at hand’ rather than writing something elegant or re-usable. You’ll need to raid your store of scripts, apps, and hacks. Have a search to find existing code that solves similar problems, and then modify it.

Don’t assume everything is straight ASCII:
I would suggest it’s a good idea of have a Base64 decoder (like the one I’ve written for Symbian phones) and an assembler/disassembler. You’ll need to have a good idea of how those things work – or you’ll need to put aside some time to get to grips with them before you proceed.

Hopefully these pointers will help answer – or lead to the answer – to the most common questions I’ve been asked so far. They shouldn’t give away too much of the game, but I’m hopeful that these tips will get you in the right mindset to crack on with the challenge (pun intended).

As with many puzzles like this – and with a lot of security related work in general – it’s not the raw skills that really matter. Don’t get disheartened because you can’t write in a certain language, or you scripting isn’t up to scratch. If you can think in the right way to see a way forward, to string together small hints of information to work out a plan, then you can quickly learn what you need to throw together a tool or script to help you.

At the end of the day, it’s that mindset that is the most useful and sought after skill in any security work.